Confidentiality guidance: Protecting information

12. You must make sure that any personal information about patients that you hold or control is effectively protected at all times against improper disclosure. The UK health departments publish guidance on how long health records should be kept and how they should be disposed of. You should follow the guidance whether or not you work in the NHS.4

13. Many improper disclosures are unintentional. You should not share identifiable information about patients where you can be overheard, for example in a public place or in an internet chat forum. You should not share passwords or leave patients’ records, either on paper or on screen, unattended or where they can be seen by other patients, unauthorised healthcare staff, or the public.

14. Unless they have a relevant management role, doctors are not expected to assess the security standards of large-scale computer systems provided for their use in the NHS or in other managed healthcare environments. You should familiarise yourself with and follow policies and procedures designed to protect patients’ privacy where you work and when using computer systems provided for your use. This includes policies on the use of laptops and portable media storage devices. You must not abuse your access privileges and must limit your access to information you have a legitimate reason to view.

15. If you are responsible for the management of patient records or other patient information, you should make sure that they are held securely and that any staff you manage are trained and understand their responsibilities. You should make use of professional expertise when selecting and developing systems to record, access and send electronic data.5 You should make sure that administrative information, such as names and addresses, can be accessed separately from clinical information so that sensitive information is not displayed automatically.

16. If you are concerned about the security of personal information in premises or systems provided for your use, you should follow the advice in Good medical practice on Raising concerns about patient safety, including concerns about confidentiality and information governance.